The following example shows how to set up a file system so
that anyone in the staff group can create and mount file systems in the
tank file system, as well as destroy their own file systems. However, staff
group members cannot destroy anyone else's file systems.

Ensure that you delegate permissions to users at the correct file system level. For
example, user marks is delegated create, destroy, and mount permissions for the
local and descendent file systems. User marks is also delegated local permission to snapshot the
tank file system, but he is not allowed to snapshot his own file
system. So, he has not been delegated the snapshot permission at the correct
file system level.

Now, user marks can only create a snapshot below the tank file system
level.
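
One way to check for the scoping mistake described above, as an added example that is not part of the original guide: the function reads `zfs allow <dataset>` output and lists every grant that applies to the named file system only. The output layout it parses and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumption: `zfs allow <dataset>` prints a "---- Permissions on <dataset> ----"
# banner, then section headers ("Local permissions:", "Local+Descendent
# permissions:", ...) each followed by indented "<type> <name> <perms>" lines.

# Constructed sample output matching the user marks scenario in the text.
SAMPLE_ALLOW_OUTPUT='---- Permissions on tank ---------------------------------------------
Local permissions:
        user marks snapshot
Local+Descendent permissions:
        user marks create,destroy,mount'

# local_only_grants: read `zfs allow` output on stdin and print one line,
# "<dataset> <who> <permission>", for each permission listed in a
# "Local permissions:" section. Such a grant covers the named file system
# but none of the file systems below it.
local_only_grants() {
    awk '
        # Banner line: remember which dataset the following sections describe.
        /^---- Permissions on / { dataset = $4; section = ""; next }
        # Unindented line ending in ":" starts a new section.
        /^[A-Za-z].*:$/         { section = $0; next }
        section == "Local permissions:" && NF >= 2 {
            # "everyone" entries have no name field; user/group entries do.
            who = (NF >= 3) ? ($1 " " $2) : $1
            n = split($NF, perms, ",")
            for (i = 1; i <= n; i++)
                print dataset, who, perms[i]
        }
    '
}

# With dataset names as arguments, audit the live system. A local-only entry
# is widened with `zfs allow -d` (descendants only) or a grant that uses
# neither -l nor -d (local and descendants).
if [ "$#" -gt 0 ]; then
    for ds in "$@"; do
        zfs allow "$ds" | local_only_grants
    done
fi
```

On the constructed sample, the function reports `tank user marks snapshot`, the grant that lets marks snapshot tank but not his own file system.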

Example 9-4 Defining and Using Complex Delegated Permissions

You can delegate specific permissions to users or groups. For example, the following
zfs allow command delegates specific permissions to the staff group. In addition, destroy and
snapshot permissions are delegated after tank file systems are created.

Because user marks is a member of the staff group, he can create
file systems in tank. In addition, user marks can create a snapshot
of tank/marks2 because he has specific permissions to do so. For example:

The following example shows how to create the permission set @myset and
delegate the permission set and the rename permission to the group staff for
the tank file system. User cindys, a staff group member, has the permission to
create a file system in tank. However, user lp does not have permission to
create a file system in tank.